Annual Trends 



Registered Online Banking Users: over 25 million 
Annual Trends - Online Banking Losses (Net) 

• Online banking fraud losses dropped by 22%, from £59.7 million in 
2009 to £46.7 million in 2010. 
Annual Trends - Telephone Banking Losses (Net) 

• Telephone banking fraud losses increased by 5%, from 
£12.1 million in 2009 to £12.7 million in 2010. 

• Why: the online banking channel has become more secure, so 
fraud is displacing to the telephone channel 
Online Phishing 



• Traditional (aka "dinosaur") phishing continues to increase - up 21% 
from 2009 

• Associated losses haven't followed suit - the success rate per attack 
has fallen, so phishers are making a concentrated effort to increase 
the number of attacks to compensate 

• Phishers continue to exploit high profile marketing campaigns, 
in particular those of the banks or the tax office (HMRC) 
Trends - UK Banks Share of Phishing 

We record each UK bank's monthly phishing attack figures 

• Levels fluctuate significantly, no real trend. 

• Attacks at a record high in Dec 2010, over 7000 URLs 

• Banks using static authentication heavily targeted 

• HMRC tax refund type - big increase 

• Business banking targeted more & more 

• The range of information captured has widened, 
e.g. driving licence numbers for ID theft 
Developments in Phishing 



• MITM/Real-time Online Phishing 

- attempt to capture & use the victim's 2-FA codes in real time, before they expire. 

- case numbers low compared to traditional phishing, however the 
success rate is high 

• HTML Form Attachment 

- slight resurgence (the credential form is attached to the email 
rather than hosted on a URL) 

• Vishing 

- VoIP voice call phishing - increasing 

- pre-captured customer data used to socially engineer the victim 

• Smishing - SMS texts to bank customers 
Malware 



• Zeus Trojan 

- continues to be the most prolific Trojan targeting UK bank customers 

- ever evolving with new variants, version 2.1 currently active 

- can defeat 2-FA (two- factor authentication) services via MITB 

• SpyEye Trojan 

- relatively new and highly sophisticated 

- originally competed with Zeus but now shares the same code 

- infection levels increasing 

Others 

• Gozi, Torpig, Silon, OddJob, Ares, Carberp 

- Relatively low activity compared to the malware above. 

- Geo specific e.g. Swiss banks targeted heavily by Torpig. 






Malware - Developments 



ZITMO (Zeus In The Mobile) SMS intercept... no attacks in UK.... yet 

- attacks banks using out-of-band authentication; customers are 
sent a one-time passcode or a challenge via SMS, which the mobile 
component forwards to the attacker 

- Spain, Portugal, Germany, Turkey and Poland all targeted 

- SpyEye also developing SMS interception capabilities 

Automated Malware 

- transfers made automatically to hard-coded money mule accounts 

- high net worth accounts only 

C&C Server Encryption 

- credentials not always held on C&C servers now 
Malware - Developments (cont.) 



Rogue AV 

- highly lucrative 

- fake 'Microsoft' caller scam 

IM applications e.g. Jabber Zeus 

- stolen credentials pushed to the fraudster by instant message for a 
real time response 

- enables MITM attacks against one-time codes 

Zero Day Malware 

Sunspot Trojan! 

- hot off the press.... notification in the last 48hrs 

- low AV detection rate 

- Windows Vista & 7 

- targeting a number of institutions globally. 
Malware & Other Threats - Online Banking 

• Attack Techniques against Online Banking Customers 

- HTML screen injects & pop-ups e.g. showing a fake balance to hide the theft 

- MITB/MITM to defeat 2-FA 

- SIM swapping & number re-direction 

- Attackers monitor banks' thresholds, test & adjust 

- Exploit loopholes/vulnerabilities 
(e.g. worked out a bank's 2-FA one-time code lifetime) 
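The real-time phishing, Jabber Zeus and "worked out the 2-FA one-time code lifetime" points all turn on one property: a plain time-based one-time code is bound to the clock, not to what the customer is authorising, so anyone who relays it inside its lifetime can reuse it. The Python below is an added example (not part of this deck and not any bank's code) that models both sides: an RFC 4226 HOTP-style login code that a phisher relays a few seconds late, and a transaction-signing code that also commits to payee and amount. The token seed, window length, skew tolerance, timestamps, payee names and amounts are constructed assumptions, and the transaction-signing scheme is a simplified illustration of the idea rather than any specific product.

```python
"""Why a time-based one-time code survives relay but a transaction-bound code does not.
Added example with constructed seed, times and payees; not any bank's code."""
import hashlib
import hmac
import struct

SEED = b"constructed-token-seed-not-a-real-key"  # assumed secret shared by token and bank
STEP = 30            # seconds per code window (assumed; a common time-based OTP setting)
SKEW = 1             # bank also accepts the adjacent windows (assumed clock-drift tolerance)
T0 = 1_300_000_000   # constructed Unix time at which the victim acts


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def login_otp(seed, now):
    """Customer's token: a time-based code bound to nothing but the clock."""
    return hotp(seed, now // STEP)


def bank_accepts_login(seed, code, now):
    """Bank side: the code is valid for the current window plus/minus SKEW windows."""
    window = now // STEP
    return any(hmac.compare_digest(hotp(seed, window + d), code)
               for d in range(-SKEW, SKEW + 1))


def transaction_code(seed, payee, amount_pence, now):
    """Transaction-signing token: the code commits to payee and amount as well as time."""
    msg = f"{payee}|{amount_pence}|{now // STEP}".encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 6:06d}"


def bank_accepts_transaction(seed, payee, amount_pence, code, now):
    """Bank recomputes the code over the payment it actually received."""
    return any(hmac.compare_digest(
                   transaction_code(seed, payee, amount_pence, now + d * STEP), code)
               for d in range(-SKEW, SKEW + 1))


def relayed_login_attack(relay_delay_s):
    """Victim types the login OTP into a phishing page at T0; the phisher submits it to
    the real bank relay_delay_s later. True if the bank accepts the relayed code."""
    victim_code = login_otp(SEED, T0)
    return bank_accepts_login(SEED, victim_code, T0 + relay_delay_s)


def relayed_payment_attack():
    """Victim intends to pay 'Electricity Co' 5000p; a MITB swaps in the mule account
    and a larger amount before the request reaches the bank."""
    intended = ("Electricity Co", 5_000)
    mule = ("Mule Account 41", 250_000)
    # Plain OTP: not bound to the payment, so the swapped payment is accepted.
    plain_ok = bank_accepts_login(SEED, login_otp(SEED, T0), T0 + 4)
    # Transaction signing: the token signed the intended payee/amount, not the mule's.
    sig = transaction_code(SEED, *intended, T0)
    return {
        "plain_otp_fraud_succeeds": plain_ok,
        "bound_code_fraud_succeeds": bank_accepts_transaction(SEED, *mule, sig, T0 + 4),
        "legitimate_bound_payment_accepted": bank_accepts_transaction(SEED, *intended, sig, T0 + 4),
    }


if __name__ == "__main__":
    print("relay 5 s later accepted:", relayed_login_attack(5))
    print("relay 120 s later accepted:", relayed_login_attack(120))
    print(relayed_payment_attack())
```

Relaying the login code within its lifetime succeeds; a relay 120 s late falls outside the window plus skew and fails, which is exactly the lifetime the attackers in the slide took the trouble to work out, and why Jabber Zeus pushes the code to the fraudster the instant it is captured. With transaction signing, the code the victim's token produced for "Electricity Co" is rejected once the MITB substitutes the mule account and a larger amount, so the attacker is pushed back to social engineering the victim into signing the mule's details.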
Telephone Banking 



Cross channel attacks 

- credentials phished online, subsequently used on the telephone 
banking channel to move funds into mule accounts. 

3rd Party Data Compromises 

- enough customer data compromised to socially engineer the victim. 

- Fake 'Microsoft' technical support calls - not strictly a banking attack 

Social Engineering (Root cause) 

- targets: call centre staff, and customers who are elderly or 
non-English speaking 

- with little information fraudsters successfully utilise these 
techniques. (Man in lab coat scenario) 
Money Mule - Activity 



• The Bottleneck 

- lots of credentials, not 
enough mule accounts 

• Money Mule categories 

1. Professionals 

2. Dubious: students, low- 
income individuals 

3. Unsuspecting 
Money Mule - Activity (cont.) 



• Typically Eastern European - 
Baltic states 

• Recently: South Asian 
individuals 

• Pre-paid card accounts - lack of 
KYC 

• Use of SEPA 
(Single Euro Payments Area) for 
international mule payments to EU 
countries - e.g. Germany to UK mules 
Industry Challenges 



Phishing 

- takedown speed; the first hour of existence is critical. 

- phishing hosted on a legitimate site - owner cooperation required 

- as always.... bullet proof hosting still a problem 

- customer data compromises e.g. Play.com - spear phishing 

- customer awareness; although attitudes are changing 

Malware 

- continues to evolve in response to our industry disruption & prevention 
efforts. 

- Underground forums littered with malware code, bots, credentials & 
attack services for sale: a REAL UNDERGROUND ECONOMY 

- easy migration to new platforms - mobile & tablet devices. 
Industry Challenges (cont.) 



• Money Mules 

- reviewing account opening procedures 

- educate on the illegality of this crime... NOT a quick & easy buck! 

- faster international payments directive (SEPA) 

• Social Engineering 

- root cause of attack success - how do we tackle it? 

• Education & Awareness 

- balance between consumer awareness & negative impact on 
consumer confidence 

• Other 

- working with telcos to combat number & SIM redirection 

- aggregated payment services e.g. Direct eBanking 
Mitigation - To Consider 



Strength in defence - the multi- 
layered back end approach 

- Device ID & IP address monitoring 

- Browser string monitoring 

- Transaction monitoring 

- Account profiling 

- Voice biometrics 

Banks can also put a stronger lock 
on the front door 

- Free AV & browser products 
- 2-FA or out-of-band authentication 
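To make the "multi-layered back end" concrete, the Python below is an added example (not a control from this deck or from any bank) of how the device ID, IP address, browser string, transaction monitoring and account profiling layers can be combined into one risk score with an allow / step-up / block decision. The customer profile, the six payment events, the weights and the payment limit are constructed assumptions; real fraud engines use far richer features and tuned weights.

```python
"""Layered back-end risk scoring over constructed online-banking payment events.
Added example: rules, weights, limit, profile and events are assumptions, not a bank's controls."""
from dataclasses import dataclass
from datetime import datetime, timedelta

PAYMENT_LIMIT_PENCE = 1_000_000   # assumed £10,000 per-payment limit
NEAR_LIMIT_FRACTION = 0.9         # top 10% of the limit: looks like threshold probing
BURST_WINDOW = timedelta(minutes=10)
STEP_UP_SCORE = 40                # at or above: demand out-of-band confirmation
BLOCK_SCORE = 70                  # at or above: hold the payment for investigation


@dataclass
class Profile:
    """Account profiling layer: what the bank already knows about this customer."""
    devices: set
    countries: set
    user_agents: set
    payees: set
    typical_max_pence: int


@dataclass
class Event:
    """One outbound payment request as seen by the back end."""
    ts: datetime
    device_id: str
    ip_country: str
    user_agent: str
    payee: str
    amount_pence: int


def score_event(profile, ev, recent):
    """Combine the layers into one additive score; `recent` holds earlier events today."""
    score, reasons = 0, []
    if ev.device_id not in profile.devices:              # device ID layer
        score += 25
        reasons.append("unknown device")
    if ev.ip_country not in profile.countries:           # IP address layer
        score += 20
        reasons.append(f"IP geolocates to {ev.ip_country}")
    if ev.user_agent not in profile.user_agents:         # browser string layer
        score += 10
        reasons.append("browser string changed")
    if ev.payee not in profile.payees:                   # transaction monitoring
        score += 20
        reasons.append("first payment to this payee")
    if ev.amount_pence > profile.typical_max_pence:      # account profiling
        score += 15
        reasons.append("amount above customer's usual maximum")
    if NEAR_LIMIT_FRACTION * PAYMENT_LIMIT_PENCE <= ev.amount_pence <= PAYMENT_LIMIT_PENCE:
        score += 15
        reasons.append("amount sits just under the payment limit")
    burst = [e for e in recent
             if ev.ts - e.ts <= BURST_WINDOW and e.payee not in profile.payees]
    if len(burst) >= 2:                                  # velocity of new-payee payments
        score += 20
        reasons.append(f"{len(burst)} earlier new-payee payments within 10 min")
    return score, reasons


def decide(score):
    if score >= BLOCK_SCORE:
        return "block"
    if score >= STEP_UP_SCORE:
        return "step-up"
    return "allow"


def run_demo():
    """Score a constructed day of activity; returns (payee, score, decision, reasons) per event."""
    profile = Profile(devices={"dev-a1"}, countries={"GB"},
                      user_agents={"Firefox/3.6 Windows"},
                      payees={"Electricity Co", "Landlord"}, typical_max_pence=80_000)
    t = datetime(2011, 5, 16, 9, 0)
    ua = "Firefox/3.6 Windows"
    events = [
        # Genuine customer activity.
        Event(t, "dev-a1", "GB", ua, "Landlord", 65_000),
        Event(t + timedelta(hours=1), "dev-a1", "GB", ua, "New Plumber Ltd", 30_000),
        # MITB session: same device, IP and browser as the customer, but automated
        # transfers to new payees parked just under the limit, in quick succession.
        Event(t + timedelta(hours=3), "dev-a1", "GB", ua, "Mule 17", 950_000),
        Event(t + timedelta(hours=3, minutes=2), "dev-a1", "GB", ua, "Mule 22", 960_000),
        Event(t + timedelta(hours=3, minutes=4), "dev-a1", "GB", ua, "Mule 35", 980_000),
        # Phished credentials replayed from the attacker's own machine abroad.
        Event(t + timedelta(hours=5), "dev-zz9", "LV", "MSIE 6 Windows XP", "Mule 41", 400_000),
    ]
    results, recent = [], []
    for ev in events:
        score, reasons = score_event(profile, ev, recent)
        results.append((ev.payee, score, decide(score), reasons))
        recent.append(ev)
    return results


if __name__ == "__main__":
    for payee, score, decision, reasons in run_demo():
        print(f"{payee:16} {score:3} {decision:8} {'; '.join(reasons)}")
```

The three mule payments come from the customer's own device, IP address and browser, which is what a MITB session looks like, so the device and browser layers see nothing wrong; it is the transaction monitoring and profiling layers (new payee, amount above the customer's norm, amounts parked just under the limit, a burst of new payees) that escalate them to step-up and then block. The final session, phished credentials replayed from an unknown device abroad, is caught by the front layers on their own. That complementarity is the argument for layering rather than relying on any single control.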
To Consider (cont.) 



Effect on phishing of introducing 2-FA (chart) 

not the silver bullet - but certainly a deterrent 

Source: UK Payments 2009 



Industry Mitigation Efforts 



UK Payments - Remote Banking Fraud Group 

- Understanding the threat the UK banks face now & ahead; 
improving MI (management information) collection, reporting, research and collaboration. 

- Provide a trusted forum for the banks - promoting 
open discussions & information sharing. 



Dedicated Law Enforcement - PCeU - Police Central eCrime Unit 
(12-80 strong team now) 

- Individuals linked to SpyEye, Zeus & PSP2 BBB Trojan arrested in UK 

- Educating judges & prosecutors on eCrime & its impact 
(Uni Dublin education initiative). 
Stakeholder Efforts - Zeus Arrests 



PCeU- 19 Arrests in UK 
FBI -119 in USA 
Ukraine - 5 arrests 



Zeus Activity Tracker (chart: active ZeuS domains, online ZeuS binaries, 
online ZeuS configs, online ZeuS dropzones) 

Industry Mitigation Efforts 



Collaboration with: 

- EU banking forums, Law Enforcement and other 
Government agencies 

- Anti-Virus & other online security service providers 

- Security researchers 

- Global financial & Law enforcement community - 
via a weekly call & mailing lists (over 100 members) 

(The Fraternitas eCrime prevention Group) 
Threat Horizon - What's Next 



Mobile Phone Banking 

- mobile phone malware in the wild confirmed 

- testing already begun 

- consumers exploiting the technology make 
themselves vulnerable - jailbreaking iPhones 

• What are we doing in prep: 

- engaging with the WAC (Wholesale App 
Community) - controls on malicious apps 

- GSMA: global telecoms industry body 

- exploring products & solutions e.g. mobile AV 
IN SUMMARY 



• Online banking attacks via phishing & malware continue to increase. 
However, as reported, the losses have not followed suit. 

• As online banking becomes more secure, other channels are 
inevitably targeted i.e. telephone banking 

• Collaboration & information sharing is vital to address the threats 

- Banks should not treat security as a competitive issue.... let's talk 

• A new focus from governments towards eCrime prevention 

Finally: no silver bullet, a multi-layered security approach is the 
way. 
Thank you... 

Everyone & 
AusCERT for 
inviting us 



Bank Safe Online 



Any Questions? 



www.banksafeonline.org.uk 

the UK banking industry 
initiative to help online banking 
users stay safe online 



